<html>
<head><meta charset="utf-8"><title>Security linter? · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Security.20linter.3F.html">Security linter?</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="187142879"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Security%20linter%3F/near/187142879" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Nicolas Bigaouette <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Security.20linter.3F.html#187142879">(Feb 01 2020 at 02:31)</a>:</h4>
<p>Hi all! Not sure where to ask, so doing so here...</p>
<p>At $dayjob we are scanning our code base with security "linters". Those include, for example, Bandit for Python (<a href="https://github.com/PyCQA/bandit" target="_blank" title="https://github.com/PyCQA/bandit">https://github.com/PyCQA/bandit</a>) or gosec for Go (<a href="https://github.com/securego/gosec" target="_blank" title="https://github.com/securego/gosec">https://github.com/securego/gosec</a>).</p>
<p>Those tools will go further than what clippy does. Instead of looking at "code quality" patterns, they look for security issues. For example, they contain lints for whether your app listens on all interfaces, weak crypto usage, or even committed credentials.</p>
<p>Since those tools are used as part of a process, I am sure the question of whether such a tool exists for Rust will arise.</p>
<p>Does something like this already exist? I don't know the internals of clippy, but could a "security" lint category be possible?</p>



<a name="187142934"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Security%20linter%3F/near/187142934" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Security.20linter.3F.html#187142934">(Feb 01 2020 at 02:32)</a>:</h4>
<p>Clippy has quite a few security lints, primarily focused around <code>unsafe</code> ATM.</p>



<a name="187206774"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Security%20linter%3F/near/187206774" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Security.20linter.3F.html#187206774">(Feb 02 2020 at 14:11)</a>:</h4>
<p>There are a bunch of Clippy lints, mostly in the <code>correctness</code> category, that flag incorrect use of <code>unsafe</code>. Last I checked, Clippy developers were open to making a security category too: <a href="https://github.com/rust-secure-code/wg/issues/27#issuecomment-454477101" target="_blank" title="https://github.com/rust-secure-code/wg/issues/27#issuecomment-454477101">https://github.com/rust-secure-code/wg/issues/27#issuecomment-454477101</a><br>
I don't think any checkers for committed credentials exist yet, but I expect Clippy is the easiest way to implement them.</p>



<a name="187279526"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Security%20linter%3F/near/187279526" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Nicolas Bigaouette <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Security.20linter.3F.html#187279526">(Feb 03 2020 at 16:42)</a>:</h4>
<p>Great, thanks both! Having this kind of security lint directly in clippy would be awesome. I'll take a look at the issue tracker.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>